PCI London: Time to think bigger?

20th PCI London, 23 January 2020, London, UK

Matching compliance to risks

The problem with many compliance regimes is that they effectively ignore the realities of risk. They assume that a particular risk must be 'solved', and then evolve a set of ever more complex rules to achieve this.

They tend not to seek to quantify the risk they are designed to mitigate, nor to place that risk in the context of a real-world business and all the other operational risks it faces, nor to think realistically about whether the costs of the regime itself are appropriate to how these risks manifest.

They also struggle with the idea of risk as a variable on a sliding scale, rather than as an absolute, and generally do a poor job of understanding whether the regime is executable by the types and number of staff available to do it.

All of these criticisms have, at one time or another, been levelled at the PCI DSS regime.

But the introduction of GDPR and a year's worth of enforcement action have given companies real risk management data on data security and privacy.

The level of GDPR fines, the amounts relative to the nature of the violations and to the sizes of the companies involved, provide management with the first real, public data needed to begin a proper risk modelling process. It allows them to look at expected losses, and therefore the budgets and organisational structures that are needed to manage data privacy and security across the business.

And this is raising significant new questions for compliance heads:

If violations of GDPR cost firms more than violations of the PCI DSS, what does that mean for budget allocation?

How should teams reflect the overlap between GDPR and PCI DSS compliance in terms of the activities and skillsets required?

Should PCI DSS compliance be completely outsourced, with those third-party practitioners plugged into the GDPR or wider compliance team?

Does it still make sense to think about specific PCI DSS technologies and solutions, or are more generalised products available?

Will PCI DSS v4.0 alter the answers to some of these questions?

The 20th PCI London will look at the latest in the processes and technologies used to protect payment and personal data. There will be real-life case studies, strategic talks and technical break-out sessions from PCI DSS and compliance teams behind some of the world's most admired brands, who know, just like you, that payment security is now more important to business than ever.